{
	"id": "e6597f5f-9780-413f-8717-37bf46433f48",
	"created_at": "2026-04-10T03:21:15.827973Z",
	"updated_at": "2026-04-10T03:22:17.0911Z",
	"deleted_at": null,
	"sha1_hash": "a966bc5e5f0ecff75a2d9413a6b9175ca5a17d78",
	"title": "Dark Web Profile: Royal Ransomware - SOCRadar® Cyber Intelligence Inc.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 121490,
	"plain_text": "Dark Web Profile: Royal Ransomware - SOCRadar® Cyber Intelligence\r\nInc.\r\nBy Cem Sarı\r\nPublished: 2023-01-09 · Archived: 2026-04-10 03:12:19 UTC\r\nBy SOCRadar Research\r\n[Update] November 14, 2023: See the subheading: “CSA Update from CISA and FBI: Royal Ransomware’s Possible\r\nRebranding to ‘Blacksuit’” \r\nRansomware attacks have been rising in recent years, with the frequency of attacks increasing. In 2021, several high-profile\r\nransomware attacks made headlines, such as the attack on the Colonial Pipeline. This attack resulted in the temporary\r\nshutdown of the pipeline, which caused fuel shortages and panic buying in some areas. This incident could have led to a\r\ncrisis within the country. \r\nIn addition to targeting large companies, ransomware attacks are frequently directed at small businesses, hospitals, and other\r\norganizations with less robust cybersecurity measures.\r\nIn November 2022, the Royal Ransomware group was the most actively operating ransomware group, and the group is\r\ncontinuing to damage organizations.\r\nDaily Dark Web’s infographic of Ransomware activities in November 2022 (Source: Daily Dark Web) \r\nWho is Royal Ransomware Group? \r\nRoyal Ransomware strain was first detected on DEV-0569’s (threat actor) operations in September 2022. The actors behind\r\nthe Royal are composed of experienced individuals from other ransomware operations, such as Conti, and operate\r\nindependently without any affiliates. Royal Ransomware group operates professionally rather than adopting Ransomware-as-a-Service as most other groups work.\r\nAccording to SOCRadar’s dark web team’s findings, Royal Ransomware primarily targets the manufacturing industry. It\r\ncould be because of the broad attack surface area, such as various specialized equipment and managed software used in the\r\nfield. Plus, the limited IT and security workforce may have led to factories becoming easy targets for cybercriminals. 
In\r\naddition, the probability of getting paid is high for ransomware groups, considering that extended downtime\r\nwill increase the damage to facilities.\r\nTargeted industries of Royal Ransomware\r\nHow Does the Royal Ransomware Group Attack?\r\nAccording to BleepingComputer, Royal Ransomware attacks use a technique called callback phishing, which involves\r\ntricking victims into believing they need to take some action, such as returning a phone call or opening an email attachment.\r\nAn example of Royal’s callback phishing mail (Source: Bleeping Computer)\r\nWhen the victim reaches Royal, the group uses social engineering techniques to persuade the victim to install their remote\r\naccess software, a malware downloader that poses as a legitimate application such as Zoom or Microsoft Teams, and so gain initial\r\naccess to the network of the victim’s organization.\r\nDiagram of the attack chain of DEV-0569, a threat actor that actively uses Royal Ransomware (Source:\r\nMicrosoft)\r\nSOCRadar researchers took a sample and analyzed Royal Ransomware, which is detailed in the “Royal Ransomware Malware\r\nAnalysis” section below.\r\nIn addition, the group generally uses the double-extortion method, which means they also exfiltrate sensitive data before\r\nencrypting it for ransom. The group’s ransom demands range from $250,000 to over $2 million.\r\nWhich Countries Did Royal Ransomware Target?\r\nRoyal ransomware group’s victims are commonly from Europe and the Americas.\r\nAffected countries by Royal Ransomware\r\nSOCRadar researchers analyzed about 70 observed claims from Royal Ransomware since September 2022 and found that\r\naround 69% of the attacks were made against organizations in the United States.\r\nhttps://socradar.io/dark-web-profile-royal-ransomware/\r\nPage 1 of 7\r\nRoyal Ransomware’s percentage distribution of target countries from its latest attacks\r\nFindings on Royal Ransomware\r\nSince the group has damaged about 75 organizations and continues its operations actively, SOCRadar researchers browsed open\r\nsources. They examined the Royal Ransomware sample obtained from the MalwareBazaar platform to learn which activities\r\ntake place after it starts running on infected systems. The findings from the sample can be seen below. (You can find the\r\nIOCs of Royal Ransomware used in the analysis in the Appendixes section.)\r\nSeveral anti-analysis techniques were encountered when Royal Ransomware was run step by step. After these stages were\r\npassed, it was seen that the process compares three arguments: “-path,” “-id,” and “-ep.”\r\nThe “-id” parameter could be for the victim ID, “-path” could be for the directory path, and the “-ep” parameter, as we\r\nobserved, refers to the percentage of each file that is encrypted.\r\n“-path”, “-id”, and “-ep” parameters used in Royal Ransomware\r\nAlso, the program skips the encryption process for all files with the extensions “dll,” “bat,” “royal,” or “exe.”\r\nSkipping files with extensions dll, bat, exe, and royal.\r\nThe program encrypts files using AES with an IV and changes the extension of encrypted files to “.royal.”\r\nAES and IV key generation processes (Source: TrendMicro)\r\nWhen the encryption process starts, the first “README.TXT” file, which contains the ransom note, is created under\r\nthe C:\\Program Files directory.\r\nFirst file that contains the ransom note, observed in C:\\Program Files\r\nRoyal’s ransom note (Source: BleepingComputer)\r\nThe URL in the ransom note directs the victim to Royal’s contact page:\r\nContact form page of Royal\r\nThe Royal group uses another page to share their claims:\r\nRoyal’s page where they share their claims and links to their exfiltrated files\r\nSecurity researchers observed that the group first used BlackCat’s encryptors and Zeon’s ransom notes. These notes changed\r\nto Royal’s ransom notes in September 2022.\r\nZeon ransom note (Source: BleepingComputer)\r\nAdditionally, the ransom note used by Royal ransomware was similar to that used by Conti (observed as Zeon after Conti\r\nstopped operating), and the code used to decrypt files was also used by Conti.\r\nCSA Update from CISA and FBI: Royal Ransomware’s Possible Rebranding to ‘Blacksuit’\r\nCISA and the FBI have issued an update to the joint Cybersecurity Advisory (CSA) on Royal Ransomware as part of\r\nthe #StopRansomware initiative. Emphasizing the widespread impact across critical infrastructure sectors, including\r\nmanufacturing, communications, Healthcare and Public Health (HPH), and education, CISA has revised the CSA to\r\nenhance guidance for organizations.\r\nThe update reveals that Royal Ransomware has targeted over 350 known victims globally since September 2022,\r\nwith ransom demands surpassing $275 million.\r\nMoreover, and most importantly, there are indications that Royal Ransomware may undergo a rebranding or introduce a\r\nspinoff variant, Blacksuit. The speculation stems from the fact that Blacksuit Ransomware shares several identified coding\r\ncharacteristics with Royal Ransomware.\r\nThe updated CSA offers additional insights into tactics, techniques, and procedures (TTPs) and indicators of compromise\r\n(IOCs) for both Royal ransomware variants and Blacksuit. FBI investigations identified these TTPs and IOCs as recently as\r\nJune 2023.\r\nFor extensive details, consult the advisory on CISA’s website.\r\nRoyal Ransomware Malware Analysis\r\nExecutive Summary\r\nThreat Identifiers\r\nName: Royal Ransomware\r\nThreat Type: Ransomware\r\nDetections: Full List (VirusTotal)\r\nTor Address:\r\n• hxxp[:]//royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid[.]onion\r\n• hxxp[:]//royal4ezp7xrbakkus3oofjw6gszrohpodmdnfbe5e4w3og5sm7vb3qd[.]onion\r\nNoticeable Behaviors: The ransomware skips the encryption process for all files with the extensions “dll, bat, royal, exe.”\r\nThe following sub-folders and files are not encrypted by the ransomware: “Windows, Royal, Perflogs, Tor\r\nbrowser, Boot, $recycle.bin, Windows.old, $windows.~ws, $windows.~bt, Mozilla, Google”\r\nConclusion: The attacks of this group occur more often, and their pattern should be kept in mind to be safe. The\r\ngroup mainly uses callback phishing to get initial access to its victims. Organizations should provide\r\ncybersecurity awareness training for their employees to prevent attacks from callback phishing.\r\nRoyal ransomware is a recent threat that appeared in 2022 and was particularly active during recent months. The\r\nransomware deletes all Volume Shadow Copies and avoids specific file extensions and folders. It encrypts the network\r\nshares found in the local network and the local drives. A parameter called “-id” that identifies the victim and is also written\r\nin the ransom note must be specified on the command line.\r\nThe files are encrypted using the AES algorithm (OpenSSL), with the key and IV being encrypted using the RSA public key\r\nthat is hard-coded in the executable. The malware can fully or partially encrypt a file based on the file’s size and the “-ep”\r\nparameter. The extension of the encrypted files is changed to “.royal.”\r\nRansomware Composition\r\nWhen run as an administrator, Royal ransomware spawns two sub-processes and terminates them afterwards. The terminations could be\r\nbecause the tool used for analysis is detected by the parent process, or the process could terminate itself after detecting the virtual\r\nmachine environment. This question is answered in the static analysis section.\r\nThe findings gathered using Sysmon, Process Monitor and Event Viewer can be seen in the table below:\r\nProcess Name | Command Line\r\nvssadmin.exe | delete shadows /all /quiet\r\nconhost.exe | \\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1\r\nslui.exe | \\??\\C:\\WINDOWS\\System32\\slui.exe -Embedding\r\nvssadmin.exe\r\nThe Volume Shadow Copy Service (VSS) is a Windows service that allows taking manual or automatic backup copies\r\n(snapshots) of computer files or volumes, even when they are in use; vssadmin.exe is the command-line tool used to administer it.\r\nconhost.exe\r\nconhost.exe (Console Window Host) is provided by Microsoft and is usually legitimate and completely safe. conhost.exe\r\nneeds to run to allow Command Prompt to work with Windows Explorer. One of its features is that it gives you the ability to\r\ndrag and drop files/folders straight into Command Prompt.\r\nStatic Analysis\r\nOverview\r\nFile Name: Royal.exe\r\nFile Size: 3.013 KB\r\nFile Type: Win32.exe\r\nMD5: df0b88dafe7a65295f99e69a67db9e1b\r\nSHA-1: db3163a09eb33ff4370ad162a05f4b2584a20456\r\nSHA-256: f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429\r\nThe ransomware was written in C++ and is not packed, even though its entropy value of ‘6.60303’ initially marked it as 82% likely to be\r\npacked. Let’s examine the strings and see if we can find anything during the analysis. You can see the\r\nentropy value in the screenshot below.\r\nWhen we searched for HTTP in the strings, we found one match. This onion URL may be the contact address of Royal\r\nRansomware.\r\nThe first function call at the program’s start is shown in the screenshot below:\r\nAnti-debugger control is provided by the “IsDebuggerPresent” API. If the EAX register holds the value 1, the program\r\ncloses itself, making it impossible to debug with the analysis tools; that is why it is necessary to change it to 0 to run the\r\nprogram without it closing. The anti-debugger bypass is performed during the dynamic analysis.\r\nThe function related to the OpenSSL and RC4 encryption stage is given in the image below:\r\nThe ransomware imports a hard-coded RSA public key. The OpenSSL library is used to encrypt the files using the AES\r\nalgorithm, with the AES key being encrypted using the RSA public key:\r\nDynamic Analysis\r\nWhen executed, the Royal ransomware takes three arguments. In this section, we start the dynamic analysis phase by\r\nshowing what they are and what they are used for.\r\nWhen we run the program, it performs backup deletion with child processes (using the parameters we specified in the\r\nRansomware Composition section) via vssadmin.exe and conhost.exe.\r\nANY.RUN Process Graph\r\nBehavioral Information | Reads the computer name | Checks supported languages | The process checks LSA protection\r\nroyal.exe | x | PID: 1568 | x\r\nvssadmin.exe | x | x | PID: 4768\r\nconhost.exe | PID: 4892 | PID: 4892 | PID: 4892\r\nslui.exe | x | x | PID: 1672\r\nWhen we examined the network activity, we could not find any interaction with blacklisted IP addresses. All requested domain\r\naddresses are legitimate addresses with whitelisted IP addresses.\r\nSince it is a 64-bit program, let’s run it step by step, marking the relevant parts, using x64dbg in the virtual environment.\r\nIn the debugger, when we try to move forward by putting a breakpoint on a few specific APIs, the program closes itself\r\nand performs the terminate operation. It is clear that the anti-analysis techniques we saw in the static\r\nanalysis section are in use.\r\nCommand line arguments:\r\n– path: The path to be encrypted.\r\n– ep: The number that represents the percentage of the file that will be encrypted.\r\n– id: A 32-digit array.\r\nThe re-examined code section where the parameters are processed, viewed in Ghidra, can be found below:\r\nAnti-Analysis Section\r\nWe saw the EAX register value of 1 for IsDebuggerPresent, an important API that we constantly encounter in malware and\r\nthat makes the analyst’s job more difficult. Let’s check again with Ghidra and start looking at what we can do for an anti-analysis bypass.\r\nAs we will see in the screenshot below, if we directly pass the function call made at the base address\r\n“00007FF6FDE0296D”, the program performs the terminate operation.\r\nLet’s skip the execution by changing the RIP address before it terminates the process through the function call and\r\ncontinue exploring.\r\nWe’ve detected another function call that performs another terminate operation at “00007FF6FDE029CF”.\r\nLet’s perform the same RIP address change at this stage as well.\r\nIt repeats the same actions. Now let’s start reviewing the parts we skipped. After we got through the anti-analysis stages,\r\nwe continued monitoring the program’s operation, as seen in the image below. Once the backups have been deleted, Royal\r\nransomware will set its exclusion paths (the files or directories spared from file encryption). The following file extensions\r\nwill be excluded from being encrypted:\r\n.exe, .dll, .bat, .lnk, README.TXT, .royal\r\nNext, the ransomware will set the list of directories excluded from the encryption process. These directories are the ones that\r\ncontain the following strings:\r\n– Windows, Royal, Perflogs, Tor Browser, Boot, $recycle.bin, Windows.old, $windows.~ws, $windows.~bt, Mozilla, Google.\r\nNetwork Activity\r\nThe ransomware will scan the network interfaces and, if possible, retrieve the different IP addresses for the target\r\nmachine/machines using the “GetIpAddrTable” API call. It will specifically search for IP addresses that start with\r\n“192.10.100./ 172.”\r\nRoyal ransomware will establish a socket using the API WSASocketW and associate it with a completion port using\r\nCreateIoCompletionPort. It will then set the port to SMB and eventually try to connect to the\r\ninstructed IP addresses via the LPFN_CONNECTEX callback function.\r\nThe ransomware will enumerate the shared resources of the given IP addresses using the API called NetShareEnum. If a shared\r\nresource is one of “ADMIN$” or “IPC$”, the ransomware will not encrypt it.\r\nEncryption\r\nRoyal ransomware’s encryption is multi-threaded. To choose the number of running threads, the ransomware will use the\r\nAPI call GetNativeSystemInfo to collect the number of processors in the machine. It will then multiply the result by two and\r\ncreate the appropriate number of threads accordingly. Next, the ransomware will set the RSA public key, embedded in the\r\nbinary in plain text and used for encrypting the AES key.\r\nRSA Public Key: -----BEGIN RSA PUBLIC KEY-----\r\nnMIICCAKCAgEAuWfX+pJCUCKc9xsWLVHpCpw6TL20HG/Vk4vF3GYlr6HltX7BMRfAn7oGyMztNb37xW66NX+uxHghrX3+sm23yJmSfr\r\nRegarding partial encryption, Royal ransomware gives the ransomware operator a more flexible solution for evading\r\ndetection than most ransomware. We assume this flexibility and the evasion potential it enables was a design goal for the\r\ncreators of Royal ransomware.\r\nLatest Attacks of the Group\r\nRansomware attacks on the healthcare industry increased by 81.1% in 2022 compared to 2021. The Health Sector\r\nCybersecurity Coordination Center (HC3) also draws attention to this issue in its latest analysis of Royal Ransomware. Some\r\nrecent attacks on the healthcare industry, such as the compromise of Northwest Michigan Health Services and Happy\r\nSapiens Dental, were carried out by Royal Ransomware. The group is likely to target this sector more often in the future.\r\nRoyal’s post about Happy Sapiens Dental\r\nOne of Royal’s most significant claims is the compromise of INTRADO, an American telecommunications company\r\nwith more than 10K employees. It is unknown which data was stolen, but according to Royal, they exfiltrated internal\r\ndocuments, passports, and driver’s licenses of INTRADO’s employees.\r\nRoyal’s claim about INTRADO\r\nCountries affected by Royal Ransomware over time, based on our findings from around 70 observations, can be seen below:\r\nTimeline of Royal Ransomware attacks\r\nThe SOCRadar dark web team constantly monitors ransomware activities and reports them in the SOCRadar Dark Web News\r\npanel.\r\nSOCRadar’s Dark Web News panel under the Cyber Threat Intelligence module\r\nConclusion\r\nThe attacks of this group occur more often, and their pattern should be kept in mind to be safe. The group mainly uses\r\ncallback phishing to get initial access to its victims. Organizations should provide cybersecurity awareness training for their\r\nemployees to prevent attacks from callback phishing.\r\nEmployees should:\r\n– Be cautious of unsolicited calls, texts, or emails, especially those asking for personal information or login\r\ncredentials.\r\n– Be cautious when providing personal information online.\r\n– Not click links or download attachments from unknown sources.\r\n– Use strong passwords and supplement them with 2FA or MFA solutions.\r\n– Keep their systems up to date, which helps protect devices from vulnerabilities that could be exploited.\r\nOrganizations, especially those operating in the manufacturing and healthcare sectors, should:\r\n– Regularly update and patch software and systems.\r\n– Regularly back up important data and test the backups.\r\n– Use network segmentation and access controls to limit attackers’ movement within the network.\r\n– Deploy and regularly update security software (e.g., firewalls and antivirus).\r\nThese measures can help reduce the risk of Royal Ransomware, but no security measures are foolproof. It is vital to have a\r\nresponse plan in place in case of an attack.\r\nAppendixes\r\nAppendix 1.\r\nRoyal Ransomware (used sample’s information)\r\nMD5: df0b88dafe7a65295f99e69a67db9e1b\r\nSHA-1: db3163a09eb33ff4370ad162a05f4b2584a20456\r\nSHA-256: f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429\r\nFile Type: Win32 EXE\r\nIOCs of Royal Ransomware:\r\nhxxp[:]//royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid[.]onion/%s\r\nREADME.txt\r\nAppendix 2.\r\nMITRE ATT\u0026CK Techniques\r\nTechnique | Name\r\nT1059 | Command and Scripting Interpreter\r\nT1106 | Native API\r\nT1559.001 | Inter-Process Communication: Component Object Model\r\nT1129 | Shared Modules\r\nT1055 | Process Injection\r\nT1134 | Access Token Manipulation\r\nT1134.001 | Access Token Manipulation: Token Impersonation/Theft\r\nT1070.004 | Indicator Removal: File Deletion\r\nT1622 | Debugger Evasion\r\nT1027 | Obfuscated Files or Information\r\nT1140 | Deobfuscate/Decode Files or Information\r\nT1082 | System Information Discovery\r\nT1057 | Process Discovery\r\nT1083 | File and Directory Discovery\r\nT1135 | Network Share Discovery\r\nT1518 | Software Discovery\r\nT1560 | Archive Collected Data\r\nT1090 | Proxy\r\nSource: https://socradar.io/dark-web-profile-royal-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://socradar.io/dark-web-profile-royal-ransomware/"
	],
	"report_names": [
		"dark-web-profile-royal-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775791275,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a966bc5e5f0ecff75a2d9413a6b9175ca5a17d78.pdf",
		"text": "https://archive.orkl.eu/a966bc5e5f0ecff75a2d9413a6b9175ca5a17d78.txt",
		"img": "https://archive.orkl.eu/a966bc5e5f0ecff75a2d9413a6b9175ca5a17d78.jpg"
	}
}